PHDS

Use Adobe Media Server 5 to serve live and on-demand protected content to Flash Player and AIR over HTTP without using a DRM License Server. When Adobe Media Server packages the content, it generates the license and embeds it into the DRM metadata of the content stream. This feature is called Protected HTTP Dynamic Streaming (PHDS). In addition to encrypting content, PHDS also supports SWF verification for HTTP Dynamic Streaming.

The F4F packaging process for on-demand and live PHDS generates a license, embeds it in the DRM metadata, and delivers it with the media. Flash Player 11 and AIR 3 clients can retrieve the license from the content stream, which eliminates communication between the client and a License Server.

The Adobe Media Server installer generates credentials, certificates, and policy files to the rootinstall/creds directory. The installer also creates a common-key.bin file in the /creds directory. You can change the content of this file or create a new common key file. To create a common key file (common-key.bin), which is used to derive the Content Encryption Key, use the Scramble tool. See the Scramble tool.

Use the following policy files to generate licenses for on-demand and live PHDS.

| Policy name | Description |
| --- | --- |
| phds_24hr_policy.pol | 24 Hour limited policy: anonymous; 24 hours limited license caching. This is the default policy. Users can start playback within 24 hours of the time the content was packaged. Users can continue watching the content until the end of the content (users may pause content). |
| | Set in the same way as the 24 Hours Limited / No Output Protection Policy policy with an additional restriction to use hardware content protection, if available. Users are still able to play back media if the client hardware doesn't support Output Protection. If the client hardware supports Output Protection but it is disabled, Flash Player returns DRM Run Time Error: 3342 (NoDigitalProtectionAvail). |
| phds-OPBestEffort.pol (AMS 5) | Unlimited / Best Effort Protection Policy: set in the same way as the Unlimited / No Output Protection Policy policy with an additional restriction to use hardware content protection, if available. Users are still able to play back media if the client hardware doesn't support Output Protection. If the client hardware supports Output Protection but it is disabled, Flash Player returns DRM Run Time Error: 3342 (NoDigitalProtectionAvail). |
| phds-24hr-OPRequired.pol (AMS 5) | 24 Hours Limited / Required Output Protection Policy: set in the same way as the 24 Hours Limited / No Output Protection Policy policy with an additional restriction to use hardware content protection. Users cannot play back media if the client hardware doesn't support Output Protection. If the client hardware doesn't support Output Protection, or if it supports Output Protection but it is disabled, Flash Player returns DRM Run Time Error: 3342 (NoDigitalProtectionAvail). |
| phds-OPRequired.pol (AMS 5) | Unlimited / Required Output Protection Policy: set in the same way as the Unlimited / No Output Protection Policy policy with an additional restriction to use hardware content protection. Users cannot play back media if the client hardware doesn't support Output Protection. If the client hardware doesn't support Output Protection, or if it supports Output Protection but it is disabled, Flash Player returns DRM Run Time Error: 3342 (NoDigitalProtectionAvail). |

The simple unlimited policy is not intended for regular use. It is provided as a temporary workaround in case there is an issue with the network. When media is cached on network devices between Adobe Media Server and Flash Player, clients may receive expired policy data from the network instead of the expected media from the server. If media that was generated with the 24 hours policy is cached for more than 24 hours, the player does not allow playback. Switch to the unlimited PHDS policy as a temporary solution until the network configuration is fixed and the caches are flushed. This solution allows you to distribute media with lower protection instead of not distributing the media at all. After switching to the Unlimited Policy, flush the caches to allow the unlimited license to propagate to clients.

Adobe Access

To deliver live or on-demand content with HDS, you can enable HDS with Adobe Access for protected streaming. The Adobe Access server for protected streaming is a license server implementation optimized for use with HDS. See the Adobe Access documentation for more details.

Important: Use the HDS packagers to both encrypt and fragment content. Do not use the Adobe Access packaging tools to encrypt content. The HDS packagers cannot fragment encrypted content.

After you have deployed Adobe Access Server for protected streaming, configure Adobe Media Server to package and encrypt the content in real-time.

Live use case

In httpd.conf, the ContentProtection tag is specified under <Location hds-live>.

Both the Application.xml file and the Event.xml file have a ContentProtection container that holds the live PHDS configuration settings. In Application.xml, the container is located under //Application/HDS/Recording/ContentProtection. In Event.xml, the container is located under //Event/Recording/ContentProtection.

Getting Started

To quickly get started with PHDS, you need to understand the following directives:

| Directive | Default value | Description |
| --- | --- | --- |
| HttpStreamingEncryptionScope | content | Possible values are off, content, and server. When the value is off, content remains in the unprotected format. When the value is content, configuration settings in the application.xml or event.xml files are used to protect the content. When the value is server, configuration settings in the httpd.conf are used to protect the content. |
| HttpStreamingProtectionScheme | PHDS | Encryption type for the content. It can be FlashAccessV3, FlashAccessV2 or PHDS. HttpStreamingProtectionScheme is applicable if encryption is enabled. Use HttpStreamingEncryptionScope to determine the scope of the encryption. |

To configure PHDS with basic settings, perform the following steps:

1. After installing Adobe Media Server, navigate to the <root-install>/Apache 2.4/conf/ directory. Edit the httpd.conf file and add the following tags under <Location hds-live>:

2. Publish a live stream called “livestream?adbe-live-event=liveevent” to livepkgr.

3. Play back the stream using the URI http://<server-ip>:8134/hds-live/livepkgr/_definst_/liveevent/livestream.f4m.

Detailed configuration

The following sections provide detailed configurations for both the PHDS and Adobe Access schemes.

Server level

Server-level configurations for live PHDS/Adobe Access

When server-level configuration is specified, the protection parameters are applied server-wide. Encryption parameters specified at the application or event level are ignored.

Flash Media Server 4.5.3 and higher allows setting the encryption configurations at the server level. These settings apply to live events recorded on the server. To enable or disable encryption, configure the following directives for the f4fhttp_module in the Apache httpd.conf file:

| Directive | Default value | Description |
| --- | --- | --- |
| HttpStreamingEncryptionScope | content | Possible values are off, content, and server. When the value is off, content remains in the unprotected format. When the value is content, configuration settings in the application.xml or event.xml files are used to protect the content. When the value is server, configuration settings in the httpd.conf are used to protect the content. |
| HttpStreamingProtectionScheme | PHDS | Encryption type for the content. It can be FlashAccessV3, FlashAccessV2 or PHDS. HttpStreamingProtectionScheme is applicable if encryption is enabled. Use HttpStreamingEncryptionScope to determine the scope of the encryption. |

PHDS configuration

| Directive | Default value | Description |
| --- | --- | --- |
| PHDSCommonKeyFile | <AMSInstallDir>/creds/common-key.bin | A common key used to protect content at this location. The PHDSCommonKeyFile path is relative to rootinstall/Apache2.4. |
| PHDSVideoEncryptionLevel | 2 | The level of encryption for the content (0-low, 1-medium, 2-high). Lower settings provide partial encryption: a subset of the samples (like video keyframes) is encrypted. Partial encryption can improve playback performance on the client, because there are fewer frames to decrypt. |
| PHDSPlaybackExpiration | 24Hours | The duration within which the content playback is available. Possible values are 24Hours and Unlimited. |
| PHDSOutputProtection | none | The required hardware Output Protection of media on the client. Possible values are None, BestEffort, and Required. |
| HdsDrmContentID | Logical path to jit.conf | You can manually specify the content ID, which is used for all the files. |

Adobe Access configuration

| Directive | Default value | Description |
| --- | --- | --- |
| HdsDrmCommonKeyFile | None | A common key used to protect content at this location. The HdsDrmCommonKeyFile path is relative to rootinstall/Apache2.4. |
| HdsDrmLicenseServerURL | None | The URL of the license server used for protecting content. |
| HdsDrmTransportCertFile | None | The transport certificate used for protecting content. |
| HdsDrmLicenseServerCertFile | None | The license server certificate used for protecting content. |
| HdsDrmPackagerCredentialFile | None | The packager credential used for protecting content. |
| HdsDrmPackagerCredentialPassword | None | The packager credential password for the configured packager credential file. |
| HdsDrmPolicyFile | None | Policy for protecting content. |
| HdsDrmContentID | None | You can manually specify the content ID, which is used for all the files. |

The following example enables and configures PHDS in the httpd.conf file. These settings apply to every live event configured for this server.

Application level

When application-level configuration is specified, the protection parameters are applied to the particular application (to all the events under the application). Encryption parameters specified at the event or server level are ignored.

Common configuration

| Element | Default | Description |
| --- | --- | --- |
| HDS/Recording/ContentProtection | "allow" in Application.xml; "false" in Event.xml | Container element for content protection configurations. In Application.xml, set the enabled attribute to "true" to enable content protection, "false" to disable content protection, or "allow" to allow settings in the Event.xml file to override the ContentProtection section of the Application.xml file. When enabled="allow", the server uses none of the settings in the ContentProtection section of the Application.xml file. If a ContentProtection section is not specified in Event.xml, content protection is disabled because the default value is "false" in Event.xml. In Event.xml, set the enabled attribute to "true" or "false". |
| HDS/Recording/ContentProtection/ProtectionScheme | None | Possible values are phds, FlashAccessV2, and FlashAccessV3. For PHDS, use PHDS. |

PHDS configuration

| Element | Default | Description |
| --- | --- | --- |
| HDS/Recording/ContentProtection/PHDS | None | Container for PHDS encryption settings. |
| HDS/Recording/ContentProtection/PHDS/CommonKeyFile | None | A relative path to the common-key.bin file containing a base key used (along with the content ID) to generate the final content encryption key. This file is generated during installation to rootinstall/creds/common-key.bin. If you define the CommonKeyFile in the Application.xml file, the server looks for the file relative to the application directory. If you define the CommonKeyFile in the Event.xml file, the server looks for the file relative to the event folder. |
| HDS/Recording/ContentProtection/PHDS/PlaybackExpiration | 24Hours | The protection policy. The policy determines the duration within which content playback is available. Possible values are 24Hours and Unlimited. |
| HDS/Recording/ContentProtection/PHDS/VideoEncryptionLevel | 2 | The level of encryption for the content (0-low, 1-medium, 2-high). Lower settings mean "partial encryption", where a subset of the samples (like video keyframes) is encrypted. This can improve playback performance on the client, since there are fewer frames to decrypt. |
| HDS/Recording/ContentProtection/PHDS/UpdateInterval | 60 | The frequency at which the server generates the DRM metadata, in minutes. |
| HDS/Recording/ContentProtection/PHDS/OutputProtection | None | The required hardware Output Protection of media on the client. Possible values are None, BestEffort, and Required. |

In this case, copy the common-key.bin file from the rootinstall/creds directory to the rootinstall/applications/livepkgr/ directory.

Event level

When event-level configuration is specified, the protection parameters are applied to the particular event. Encryption parameters specified at the application or server level are ignored.

Common configuration

| Element | Default | Description |
| --- | --- | --- |
| Recording/ContentProtection | "allow" in Application.xml; "false" in Event.xml | Container element for content protection configurations. In Application.xml, set the enabled attribute to "true" to enable content protection, "false" to disable content protection, or "allow" to allow settings in the Event.xml file to override the ContentProtection section of the Application.xml file. When enabled="allow", the server uses none of the settings in the ContentProtection section of the Application.xml file. If a ContentProtection section is not specified in Event.xml, content protection is disabled because the default value is "false" in Event.xml. In Event.xml, set the enabled attribute to "true" or "false". |
| Recording/ContentProtection/ProtectionScheme | None | Possible values are phds, FlashAccessV2, and FlashAccessV3. For PHDS, use PHDS. |

PHDS configuration

| Element | Default | Description |
| --- | --- | --- |
| Recording/ContentProtection/PHDS | None | Container for PHDS encryption settings. |
| Recording/ContentProtection/PHDS/CommonKeyFile | None | A relative path to the common-key.bin file containing a base key used (along with the content ID) to generate the final content encryption key. This file is generated during installation to rootinstall/creds/common-key.bin. If you define the CommonKeyFile in the Application.xml file, the server looks for the file relative to the application directory. If you define the CommonKeyFile in the Event.xml file, the server looks for the file relative to the event folder. |
| Recording/ContentProtection/PHDS/PlaybackExpiration | 24Hours | The protection policy. The policy determines the duration within which content playback is available. Possible values are 24Hours and Unlimited. |
| Recording/ContentProtection/PHDS/VideoEncryptionLevel | 2 | The level of encryption for the content (0-low, 1-medium, 2-high). Lower settings mean "partial encryption", where a subset of the samples (like video keyframes) is encrypted. This can improve playback performance on the client, since there are fewer frames to decrypt. |
| Recording/ContentProtection/PHDS/UpdateInterval | 60 | The frequency at which the server generates the DRM metadata, in minutes. |
| Recording/ContentProtection/PHDS/OutputProtection | None | The required hardware Output Protection of media on the client. Possible values are None, BestEffort, and Required. |

The following is an example of an Application.xml file that allows protection configurations at the event level and tells the server to look for configurations in the Event.xml file for each live event:

In this case, copy the common-key.bin file from the rootinstall/creds
directory to the rootinstall/applications/livepkgr/events/_definst_/liveevent
directory.
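The precedence rules of the server, application and event level sections above, worked through in code: an added example (not Adobe's code) that reads constructed httpd.conf, Application.xml and Event.xml fragments and reports which ContentProtection settings the server would apply to a live event. It assumes a minimal httpd.conf reader that only looks inside the <Location hds-live> block; the directive and element names come from the tables on this page, and the sample values are constructed so that the three levels disagree.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample configuration: the three levels deliberately disagree.
HTTPD_CONF = """
<Location hds-live>
    HttpStreamingEncryptionScope content
    HttpStreamingProtectionScheme PHDS
    PHDSCommonKeyFile creds/common-key.bin
    PHDSPlaybackExpiration Unlimited
    PHDSVideoEncryptionLevel 1
    PHDSOutputProtection None
</Location>
"""

APPLICATION_XML = """<Application><HDS><Recording>
  <ContentProtection enabled="allow"><ProtectionScheme>PHDS</ProtectionScheme>
    <PHDS><CommonKeyFile>common-key.bin</CommonKeyFile><VideoEncryptionLevel>2</VideoEncryptionLevel>
      <PlaybackExpiration>24Hours</PlaybackExpiration><OutputProtection>None</OutputProtection></PHDS>
  </ContentProtection>
</Recording></HDS></Application>"""

EVENT_XML = """<Event><Recording>
  <ContentProtection enabled="true"><ProtectionScheme>PHDS</ProtectionScheme>
    <PHDS><CommonKeyFile>common-key.bin</CommonKeyFile><VideoEncryptionLevel>2</VideoEncryptionLevel>
      <PlaybackExpiration>24Hours</PlaybackExpiration><OutputProtection>Required</OutputProtection></PHDS>
  </ContentProtection>
</Recording></Event>"""

# httpd.conf directive -> equivalent Application.xml/Event.xml element name
PHDS_DIRECTIVES = {
    "PHDSCommonKeyFile": "CommonKeyFile",
    "PHDSVideoEncryptionLevel": "VideoEncryptionLevel",
    "PHDSPlaybackExpiration": "PlaybackExpiration",
    "PHDSOutputProtection": "OutputProtection",
}


def parse_location(conf, location):
    """Minimal reader: {directive: value} for the lines inside one <Location> block."""
    block = re.search(r"<Location %s>(.*?)</Location>" % re.escape(location), conf, re.S)
    if block is None:
        raise ValueError("no <Location %s> block" % location)
    directives = {}
    for line in block.group(1).splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and not parts[0].startswith("#"):
            directives[parts[0]] = parts[1].strip()
    return directives


def xml_settings(doc_text, cp_path):
    """ContentProtection enabled attribute plus its PHDS children, or None if absent."""
    cp = ET.fromstring(doc_text).find(cp_path)
    if cp is None:
        return None
    settings = {"enabled": cp.get("enabled", "false")}
    scheme = cp.find("ProtectionScheme")
    if scheme is not None and scheme.text:
        settings["ProtectionScheme"] = scheme.text.strip()
    for child in cp.findall("PHDS/*"):
        settings[child.tag] = (child.text or "").strip()
    return settings


def effective_protection(httpd_conf, application_xml, event_xml=None):
    """Return the settings the server would apply to a live event, with their source."""
    server = parse_location(httpd_conf, "hds-live")
    scope = server.get("HttpStreamingEncryptionScope", "content")
    if scope == "off":
        return {"enabled": False, "source": "httpd.conf"}
    if scope == "server":  # httpd.conf wins; Application.xml and Event.xml are ignored
        settings = {"enabled": True, "source": "httpd.conf",
                    "ProtectionScheme": server.get("HttpStreamingProtectionScheme", "PHDS")}
        for directive, element in PHDS_DIRECTIVES.items():
            if directive in server:
                settings[element] = server[directive]
        return settings
    if scope != "content":
        raise ValueError("unknown HttpStreamingEncryptionScope %r" % scope)
    # scope "content": Application.xml decides; a missing ContentProtection means "allow"
    app = xml_settings(application_xml, "HDS/Recording/ContentProtection") or {"enabled": "allow"}
    if app["enabled"] == "true":
        return dict(app, enabled=True, source="Application.xml")
    if app["enabled"] == "false":
        return {"enabled": False, "source": "Application.xml"}
    # "allow": none of the Application.xml settings are used. Event.xml decides, and a
    # missing ContentProtection there defaults to "false", so protection is off.
    event = xml_settings(event_xml, "Recording/ContentProtection") if event_xml else None
    if event is None or event["enabled"] != "true":
        return {"enabled": False, "source": "Event.xml"}
    return dict(event, enabled=True, source="Event.xml")
```

With the sample above, Event.xml's Required output protection is what the event gets; drop the Event.xml argument and the same Application.xml leaves the event unprotected, which is the trap the "allow" default sets.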

License chaining

Adobe Media Server will support embedding leaf licenses
in the DRM metadata from the policy generated using a chained license.
Adobe Media Server will need the license server credential and the
credential password configured so that the root license from the
policy can be used to encrypt the CEK contained in the embedded
leaf license.

If the configuration for embedding the leaf license is turned
off, Adobe Media Server will still support such a policy except
that the leaf license will not be embedded in the DRM metadata.

Note: The support is limited to a single license server credential and credential-password pair.

Key rotation

Adobe Media Server 5 supports Key Rotation for protected
HTTP Dynamic Streaming when used with Adobe Access and PHDS. You
can encrypt content packaged with AMS 5 using a set of keys. You
can periodically change the encryption key and specify how often
the content encryption key is to be changed.

Server level - Adobe Access

| Parameter | Description | Default value |
| --- | --- | --- |
| HdsDrmEnableKeyRotation | Whether to use Key Rotation with the AAXS protection scheme. | false |
| HdsDrmKeyRotationInterval | Key rotation interval to be used (in seconds), when enabling key rotation. | 900 seconds |
| HDS/Recording/ContentProtection/FlashAccessV3/KeyRotationFilePath | The file containing the rotation keys to be used. This file contains a sequence of rotated keys used to encrypt content. If no file is specified, randomly generated keys are used. The keys must be 16 bytes in length and specified as hex values. | Randomly generated keys are used (as described below). |

The following Application.xml enables key rotation at the application level:

| Element | Description | Default value |
| --- | --- | --- |
| | Key rotation interval to be used (in seconds), when enabling key rotation. | 900 seconds |
| Recording/ContentProtection/FlashAccessV3/KeyRotationFilePath | The file containing the rotation keys to be used. This file contains a sequence of rotated keys used to encrypt content. If no file is specified, randomly generated keys are used. The keys must be 16 bytes in length and specified as hex values. | |
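An added example (not Adobe's tooling) for the KeyRotationFilePath file: it writes a rotation file of fresh 16-byte keys and validates one before it is deployed, flagging duplicate or degenerate keys that would make rotation pointless. The one-key-per-line layout and the '#' comment lines are assumptions of this example; the page only states that the keys are 16 bytes written as hex.

```python
import secrets

KEY_BYTES = 16  # the page requires 16-byte keys written as hex


def make_rotation_file(count):
    """Return the text of a rotation file holding `count` fresh random keys."""
    if count < 1:
        raise ValueError("need at least one key")
    # Assumed layout: '#' comment lines, then one hex-encoded key per line.
    lines = ["# constructed key rotation file: one 16-byte key per line, hex encoded"]
    lines += [secrets.token_bytes(KEY_BYTES).hex() for _ in range(count)]
    return "\n".join(lines) + "\n"


def parse_rotation_file(text):
    """Return the keys as bytes objects; raise ValueError naming the first defective line."""
    keys = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            key = bytes.fromhex(line)
        except ValueError:
            raise ValueError("line %d: not hex: %r" % (lineno, line)) from None
        if len(key) != KEY_BYTES:
            raise ValueError("line %d: %d bytes, expected %d" % (lineno, len(key), KEY_BYTES))
        keys.append(key)
    if not keys:
        raise ValueError("no keys found")
    return keys


def audit_keys(keys):
    """Defender-side checks beyond the length rule: return a list of findings (empty = clean)."""
    findings = []
    first_seen = {}
    for i, key in enumerate(keys):
        if key in first_seen:
            findings.append("key %d duplicates key %d" % (i, first_seen[key]))
        first_seen.setdefault(key, i)
        if len(set(key)) == 1:  # e.g. all zeros: trivially guessable
            findings.append("key %d is a single repeated byte" % i)
    if len(keys) < 2:
        findings.append("only one key: rotation changes nothing")
    return findings
```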

Disable JIT encryption for F4F content

When PHDS/Adobe Access protection is enabled, the server ingests a stream and packages it into F4F stream data. The unencrypted F4F data is taken as the source and encrypted using the PHDS/Adobe Access configurations. To force the server to store the ingested stream as encrypted F4F data, and to disable the just-in-time encryption of the F4F data, a special configuration is required.

The following tables contain the configuration directives for enabling and disabling JIT encryption at the server level:

httpd.conf tags:

| Directive | Description | Default value |
| --- | --- | --- |
| HttpStreamingJITEncryption | To disable just-in-time encryption, set the value to “false”. | true |

<AMS-Install>conf/_defaultRoot_/_defaultVHost_/Application.xml tags:

| Directive | Description | Default value |
| --- | --- | --- |
| HDS/Recording/JITEncryption | To disable just-in-time encryption, set the value to “false”. | false |

Note: The tags HttpStreamingJITEncryption and JITEncryption must both be set to false to disable JIT encryption.

The following configuration for <AMSInstall>conf/_defaultRoot_/_defaultVHost_/Application.xml enables PHDS protection:

<Application>
    <!-- This section provides the means to control the behavior of -->
    <!-- application-specific HTTP dynamic streaming functionality. -->
    <HDS>
        <!-- This section controls the behavior of HTTP live recording -->
        <Recording>
            <!-- The enabled attribute can be set to "true", "false" or "allow". -->
            <!-- Content protection is enabled when the attribute is set to "true", -->
            <!-- and disabled when set to "false". -->
            <!-- If enabled is set to "allow", only then does Event.xml have the right to -->
            <!-- override the ContentProtection tag completely, and none of the -->
            <!-- settings inside the ContentProtection here will be used. If -->
            <!-- ContentProtection is also not specified in Event.xml, content -->
            <!-- protection will be disabled by default. -->
            <JITEncryption>false</JITEncryption>
            <ContentProtection enabled="true">
                <ProtectionScheme>PHDS</ProtectionScheme>
                <PHDS>
                    <CommonKeyFile>common-key.bin</CommonKeyFile>
                    <VideoEncryptionLevel>2</VideoEncryptionLevel>
                    <PlaybackExpiration>24Hours</PlaybackExpiration>
                    <OutputProtection>None</OutputProtection>
                </PHDS>
            </ContentProtection>
        </Recording>
    </HDS>
</Application>

The following configuration at <AMS-Install>conf/_defaultRoot_/_defaultVHost_/Application.xml enables Adobe Access protection:

<Application>
    <!-- This section provides the means to control the behavior of -->
    <!-- application-specific HTTP dynamic streaming functionality. -->
    <HDS>
        <!-- This section controls the behavior of HTTP live recording -->
        <Recording>
            <!-- The enabled attribute can be set to "true", "false" or "allow". -->
            <!-- Content protection is enabled when the attribute is set to "true", -->
            <!-- and disabled when set to "false". -->
            <!-- If enabled is set to "allow", then Event.xml will -->
            <!-- override the ContentProtection tag completely, and none of the -->
            <!-- settings inside the ContentProtection will be used. If -->
            <!-- ContentProtection is not specified in Event.xml, then content -->
            <!-- protection will be disabled by default. -->
            <JITEncryption>false</JITEncryption>
            <ContentProtection enabled="true">
                <ProtectionScheme>FlashAccessV2</ProtectionScheme>
                <FlashAccessV2>
                    <ContentID>liveevent</ContentID>
                    <CommonKeyFile>common-key.bin</CommonKeyFile>
                    <LicenseServerURL>http://<aaxs-test-server>/</LicenseServerURL>
                    <TransportCertFile>aaxs-test-server-trnsCert.der</TransportCertFile>
                    <LicenseServerCertFile>aaxs-test-server-licCert.der</LicenseServerCertFile>
                    <PackagerCredentialFile>aaxs-test-server-pkgrCert.pfx</PackagerCredentialFile>
                    <PackagerCredentialPassword>pwd=</PackagerCredentialPassword>
                    <PolicyFile>sample_policy.pol</PolicyFile>
                </FlashAccessV2>
            </ContentProtection>
        </Recording>
    </HDS>
</Application>

Configure system for encrypted live stream in HLS and HDS

You do not need two different recording applications for HDS and HLS if JIT encryption is on. The live content is stored unencrypted on disk and later encrypted dynamically by the HDS or HLS modules of Apache. By default, JIT encryption is on unless the HttpStreamingJITEncryption and JITEncryption tags are set to false. Publishing one set of streams to Adobe Media Server for delivery with live PHLS and PHDS requires special configuration when JIT encryption is off. When PHDS is enabled and JIT encryption is off, the server ingests a stream and packages it into encrypted F4F data. However, PHLS requires unencrypted data as its source. It’s not possible to take the encrypted F4F data and encrypt it again for PHLS. To deliver protected content to Flash Player/AIR and iOS devices, configure your encoder to publish to two different applications, one for HDS and one for HLS.

Create two copies of the livepkgr application. Name them “livepkgr_hds” and “livepkgr_hls”.

Configure the <AMS-Install>/conf/_defaultRoot_/_defaultVHost_/Application.xml as follows:

<Application>
    <!-- This section provides the ways to control the behavior of -->
    <!-- application-specific HTTP dynamic streaming functionality. -->
    <HDS>
        <!-- This section controls the behavior of HTTP live recording -->
        <Recording>
            <!-- The enabled attribute can be set to "true", "false" or "allow". -->
            <!-- Content protection is enabled when the attribute is set to "true", -->
            <!-- and disabled when set to "false". -->
            <!-- If enabled is set to "allow", only then does Event.xml have the right to -->
            <!-- override the ContentProtection tag completely, and none of the -->
            <!-- settings inside the ContentProtection here will be used. If -->
            <!-- ContentProtection is also not specified in Event.xml, content -->
            <!-- protection will be disabled by default. -->
            <JITEncryption>false</JITEncryption>
            <ContentProtection enabled="allow">
            </ContentProtection>
        </Recording>
    </HDS>
</Application>

Configure the <AMS-Install>/applications/livepkgr_hds/Application.xml as follows:

Publish streams from Flash Media Live Encoder to the livepkgr_hds and livepkgr_hls applications. Use the stream name livestream%i?adbe-live-event=liveevent.

The request URL for PHDS is http://<serveruri>/hds-live/_definst_/<liveevent>.f4m and the request URL for PHLS is http://<serveruri>/hls-live/_definst_/<liveevent>.m3u8. Because the directive HttpStreamingURLSandboxLevel is set to "App", the request URL doesn’t use the application name.

Note: In this case, copy the common-key.bin from the <AMS Install>/creds directory to <AMS Install>/applications/livepkgr_hds/.

Similarly, by following the steps above, Adobe Access configurations can also be used with HDS and HLS.

VOD use case

Configure PHDS for on-demand streaming at the following levels:

Server—rootinstall/Apache2.4/conf/httpd.conf

Stream—create a jit.conf file and copy it to the same directory as the content.

Getting started

To quickly get started with PHDS, you need to understand the following directives:

| Directive | Default value | Description |
| --- | --- | --- |
| EncryptionScope | None | Possible values are content and server. When the value is content, PHDS configuration settings in the jit.conf file override settings in the httpd.conf file. When the value is server, the server uses configuration settings in the httpd.conf file. |
| ProtectionScheme | None | A string determining the type of protection. For PHDS, use PHDS. |

The simplest way to configure on-demand PHDS is to uncomment
two lines in the Apache httpd.conf file:

The sample1_1500kbps.f4v media file comes with the default installation of AMS under <root-install>/webroot. Play back the media file sample1_1500kbps.f4v using the following URI: http://<server-ip>/hds-vod/sample1_1500kbps.f4v.f4m

Detailed configuration

The following sections provide detailed configurations for both PHDS and Adobe Access.

Server level

The following sections explain how content protection can
be applied across the server:

Common configurations

| Directive | Default value | Description |
| --- | --- | --- |
| EncryptionScope | content | Possible values are content and server. When the value is content, PHDS configuration settings in the jit.conf file override settings in the httpd.conf file. When the value is server, the server uses configuration settings in the httpd.conf file. This is the server-wide configuration that sets the encryption policy: server - ALL content is protected according to the Apache configuration (jit.conf is ignored); content - content is protected or unprotected according to the jit.conf file; off - ALL content is unprotected (jit.conf is ignored). |
| ProtectionScheme | PHDS | A string determining the type of protection. Possible values are PHDS and FlashAccessV2. |

PHDS configurations

Configure the following directives for the jithttp_module in the Apache httpd.conf file:

| Directive | Default value | Description |
| --- | --- | --- |
| PHDSCommonKeyFile | creds/common-key.bin | A common key used to protect content at this location. This file is generated during installation. |
| PHDSPlaybackExpiration | 24Hours | The duration within which content playback is available. Possible values are 24Hours and Unlimited. |
| PHDSOutputProtection | None | The required hardware Output Protection of media on the client. Possible values are None, BestEffort, and Required. |
| PHDSVideoEncryptionLevel | 2 | The level of encryption for the content (0-low, 1-medium, 2-high). Lower settings provide partial encryption: a subset of the samples (like video keyframes) is encrypted. Partial encryption can improve playback performance on the client, because there are fewer frames to decrypt. |
| HdsDrmContentID | Logical path to jit.conf | You can manually specify the content ID, which is used for all the files. |

Adobe Access configurations

| Directive | Default value | Description |
| --- | --- | --- |
| JitDrmCommonKeyFile | None | A common key used to protect content at this location. The JitDrmCommonKeyFile path is relative to rootinstall/Apache2.4. |
| JitDrmLicenseServerURL | None | The URL of the license server used for protecting content. |
| JitDrmTransportCertFile | None | The transport certificate used for protecting content. |
| JitDrmPackagerCredentialFile | None | The packager credential used for protecting content. |
| JitDrmPackagerCredentialPassword | None | The packager credential password for the configured packager credential file. |
| JitDrmPolicyFile | None | Policy for protecting content. |

The following example adds a new Location directive. Requests that include /phds serve protected content. This configuration doesn’t define PHDSPlaybackExpiration, PHDSVideoEncryptionLevel, or PHDSCommonKeyFile, but relies on their default values:

When a media player requests content from the /webroot/vod folder, it is protected. For example, request the following URL from the sample video player:

http://localhost:8134/phds/sample1_1500kbps.f4v.f4m

To verify that the content is protected, enter the same URL into the address bar of a web browser. The XML response contains a <drmAdditionalHeader> element like the following. The drmAdditionalHeader shows the path of the file without the file name.
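An added check (not part of this page or the sample player) that goes one step beyond looking for a drmAdditionalHeader in the browser: it parses an .f4m manifest and confirms that every media entry references an existing DRM header, so that no rendition of a multi-bitrate set is served unprotected. The manifest below is constructed and its base64 payload is a placeholder; the drmAdditionalHeaderId attribute on media and the url form of the header are assumptions about the F4M manifest format.

```python
import xml.etree.ElementTree as ET

# Constructed manifest modelled on what the /phds request above returns.
# The drmAdditionalHeader body is a placeholder, not real DRM metadata.
SAMPLE_F4M = """<manifest xmlns="http://ns.adobe.com/f4m/1.0">
  <id>sample1_1500kbps.f4v</id>
  <streamType>recorded</streamType>
  <drmAdditionalHeader id="drmMetadata">UExBQ0VIT0xERVI=</drmAdditionalHeader>
  <media url="sample1_1500kbps.f4v" bitrate="1500" drmAdditionalHeaderId="drmMetadata"/>
</manifest>
"""


def local(tag):
    """Strip the XML namespace so the check works with or without the f4m xmlns."""
    return tag.rsplit("}", 1)[-1]


def check_manifest(f4m_text):
    """Return (protected, problems): True with an empty list only when every rendition is covered."""
    root = ET.fromstring(f4m_text)
    headers = {}
    media = []
    for el in root.iter():
        name = local(el.tag)
        if name == "drmAdditionalHeader":
            # Metadata is either inline (base64 text) or an external .drmmeta url (assumed form).
            payload = (el.text or "").strip() or (el.get("url") or "").strip()
            headers[el.get("id", "")] = payload
        elif name == "media":
            media.append(el)
    problems = []
    if not headers:
        problems.append("no drmAdditionalHeader: content is not protected")
    for hid, payload in headers.items():
        if not payload:
            problems.append("drmAdditionalHeader %r is empty" % hid)
    if not media:
        problems.append("no media entries")
    for m in media:
        url = m.get("url", "?")
        ref = m.get("drmAdditionalHeaderId")
        if ref is None:
            problems.append("media %s has no drmAdditionalHeaderId" % url)
        elif ref not in headers:
            problems.append("media %s references unknown header %r" % (url, ref))
    return (not problems, problems)
```

Run it against the manifest fetched from each Location you expose; a manifest that passes in the browser check but fails here usually has one bitrate added outside the protected Location.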

The path to a policy file. The file is in Adobe Access policy format. The path should be absolute or relative to the jit.conf file.

The following httpd.conf file sets EncryptionScope to content.
This setting tells the server that configuration settings in the
jit.conf file override settings in the httpd.conf file. Use this
setting to configure PHDS/AdobeAccess for individual sets of media.

Key rotation

Adobe Media Server 5 supports Key Rotation for protected
HTTP Dynamic Streaming when used with Adobe Access and PHDS. You
can encrypt content packaged with AMS 5 using a set of keys. You
can periodically change the encryption key and specify how often
the content encryption key is to be changed.

Adobe Access Settings

| Parameter | Description | Default value |
| --- | --- | --- |
| JitDrmEnableKeyRotation | Whether to use Key Rotation with the FAXS protection scheme. In this case, randomly generated keys are used. | false |
| JitDrmKeyRotationInterval | Key rotation interval to be used (in seconds), when enabling key rotation. | |

License chaining

Adobe Media Server will support embedding leaf licenses
in the DRM metadata from the policy generated using a chained license.
Adobe Media Server will need the license server credential and the
credential password configured so that the root license from the
policy can be used to encrypt the CEK contained in the embedded
leaf license.

If the configuration for embedding the leaf license is turned
off, Adobe Media Server will still support such a policy except
that the leaf license will not be embedded in the DRM metadata.

Note: The support is limited to a single license server credential and credential-password pair.

SWF verification for Protected HTTP Dynamic Streaming

Create a list of authorized SWF files, called a whitelist.
These files are specified in the embedded license and sent to the
client inside the DRM metadata. On the client, SWF verification
is enforced by Adobe Access inside of Flash Player and AIR.

To create the whitelist, use the Whitelist tool (rootinstall/tools/Whitelist).

Workflow

1. Enable PHDS.

2. Use the Whitelist tool to generate a whitelist of authorized SWF files. The whitelist file can have any name. It must have the .whitelist or .airwhitelist extension.

3. Copy the whitelist to the server.

4. Enable SWF verification and indicate the location of the whitelist in the following locations:

   (Live)—Application.xml or Event.xml

   (On-demand)—httpd.conf or jit.conf

5. Publish a stream to the livepkgr application on Adobe Media Server.

6. Request a stream from an OSMF media player. The syntax of the request URL does not change for SWF verification.

The server embeds the SWF hashes from the whitelist into the .drmmeta file. Flash Player attempts to verify the SWF hash during DRM authentication.

(Live) The server looks for the whitelist in the following order:

1. The application folder. (The default application for live HTTP streaming is rootinstall/applications/livepkgr.)

2. A path in the /SWFVerification/WhitelistFolder element of Application.xml.

3. A path in the /SWFVerification/WhitelistFolder element of Event.xml.

(On-demand) The server looks for the whitelist in the httpd.conf/jit.conf file in the same folder as the on-demand content.

If the hashes don’t match, Flash Player throws a runtime error (3310) and the OSMF media player stops requesting fragments.

SWF verification configurations for live PHDS

To enable SWF verification for live PHDS, enable PHDS at
the server level (httpd.conf), the application level (Application.xml)
or the event level (Event.xml).

Configure SWF verification for live HDS at the server level (httpd.conf)

Add the following elements to the hds-live directive to enable SWF verification:

Element: PHDSSWFVerification
Description: The container for SWF verification configuration. To enable SWF verification, set the enabled attribute to "true".
Default: "false"

Element: PHDSSWFWhiteListFolder
Description: Specifies the location of the SWF whitelist.
Default: The application folder of the live event.

Configure SWF verification for live HDS at the application level (Application.xml) or at the event level (Event.xml).

In Application.xml, SWFVerification is located at //Application/HDS/Recording/ContentProtection/PHDS/SWFVerification. In Event.xml, SWFVerification is located at //Event/Recording/ContentProtection/PHDS/SWFVerification.

Element: /SWFVerification
Description: The container for SWF verification configuration. To enable SWF verification, set the enabled attribute to "true".
Default: "false"

Element: /SWFVerification/WhiteListFolder
Description: A path to the folder containing the whitelist. The folder can contain more than one whitelist file. The path can be absolute or relative. A relative path in the Application.xml file is relative to the application folder. A relative path in the Event.xml file is relative to the event folder. Backwards relative paths are not supported for security reasons. This configuration is optional. If no value is given, the server looks in the application folder of the live event.
Default: The application folder of the live event.

Configure SWF verification for on-demand HDS at the folder level (jit.conf)

The whitelist folder setting in the jit.conf file:

Description: A path to the folder containing the whitelist. The folder can contain more than one whitelist file. The path can be absolute or relative. A relative path is relative to the folder containing the jit.conf file. Backwards relative paths are not supported for security reasons. This configuration is optional. If no value is given, the server looks in the folder containing the jit.conf file.
Default: The folder containing the media.
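The two whitelist folder settings above share one rule: a relative path is resolved against the folder the configuration file belongs to, and backwards relative paths are refused so that a configuration value can never point the server at a whitelist outside that folder. The following Python is an added example of that resolution logic and of the documented live search order (application folder, then Application.xml, then Event.xml); it is not Adobe Media Server code, and the base folder values used in it are constructed placeholders standing in for rootinstall/applications/livepkgr and an event folder beneath it.

```python
import os
from typing import List, Optional


def resolve_whitelist_folder(base_folder: str, configured: Optional[str]) -> str:
    """Resolve a WhiteListFolder value against the folder it is relative to.

    - No value: the base folder itself (the documented default).
    - Absolute path: used as given (the documentation allows absolute paths).
    - Relative path: joined to base_folder. Any '..' component is refused, which is
      how this example interprets "backwards relative paths are not supported".
    """
    base = os.path.normpath(base_folder)
    if not configured:
        return base
    if os.path.isabs(configured):
        return os.path.normpath(configured)
    parts = configured.replace("\\", "/").split("/")
    if any(part == ".." for part in parts):
        raise ValueError(f"backwards relative WhiteListFolder rejected: {configured!r}")
    candidate = os.path.normpath(os.path.join(base, configured))
    # Defence in depth: the resolved folder must still lie inside the base folder.
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"WhiteListFolder escapes its base folder: {configured!r}")
    return candidate


def rejects(base_folder: str, configured: str) -> bool:
    """True when a configured value is refused by resolve_whitelist_folder."""
    try:
        resolve_whitelist_folder(base_folder, configured)
    except ValueError:
        return True
    return False


def whitelist_search_order(app_folder: str, event_folder: str,
                           app_xml_value: Optional[str] = None,
                           event_xml_value: Optional[str] = None) -> List[str]:
    """Candidate folders in the documented live-PHDS order: the application folder,
    then Application.xml's WhiteListFolder (relative to the application folder),
    then Event.xml's WhiteListFolder (relative to the event folder)."""
    candidates = [os.path.normpath(app_folder)]
    if app_xml_value:
        candidates.append(resolve_whitelist_folder(app_folder, app_xml_value))
    if event_xml_value:
        candidates.append(resolve_whitelist_folder(event_folder, event_xml_value))
    return candidates


def whitelist_files(folder: str) -> List[str]:
    """The whitelist files in a folder; the documentation allows more than one."""
    return sorted(name for name in os.listdir(folder)
                  if name.endswith((".whitelist", ".airwhitelist")))


if __name__ == "__main__":
    # Constructed placeholder paths, not a real installation.
    app = "/rootinstall/applications/livepkgr"
    event = "/rootinstall/applications/livepkgr/events/_definst_/liveevent"
    print(whitelist_search_order(app, event, "whitelists", "event-whitelists"))
    print(rejects(app, "../other-application"))
```

The strict check refuses any path containing a ".." component, even one such as "sub/../inner" that would normalize to a location inside the base folder; that matches the documentation's wording ("not supported") rather than trying to be clever about which traversals are harmless.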

Whitelist tool

Use the whitelist tool to generate a list of verified SWF
and AIR files. The server uses the whitelist to perform SWF verification
for Flash Player and AIR applications.

The whitelist tool takes SWF files, AIR certificate files, and
AIR signature files and creates a SHA256 hash for each file. The
tool writes the hashes as Base64 encoded text to one or more text
files and outputs the text files. The text files use the filename
extensions .whitelist and .airwhitelist.

The following table lists the command line options and arguments for the whitelist tool:

Option: --in <file|dir>
Optional: No
Description: A SWF file, an AIR signature file, or an AIR certificate file, or a directory containing SWF files. The dir parameter does not support AIR files. To specify multiple files or directories, use multiple --in options. For SWF files, the tool outputs a file with the extension .whitelist. For AIR signature and certificate files, the tool outputs a file with the extension .airwhitelist.

Option: --log <file|dir>
Optional: Yes
Description: An existing directory path in which the default whitelist.properties file is present, or the full path name of the properties file. Customize logging in the .properties file. The whitelist tool supports Apache log4j logging. By default, logging messages are routed to the console. To reroute them, use the --log option.

Option: --out <output file>
Optional: Yes
Description: The name for the .whitelist file and the .airwhitelist file. If --out is not specified, the tool creates .whitelist and .airwhitelist files for each .swf file and .xml file. If --out is specified, --outDir is ignored and the file is saved to the directory the tool is being run from.

Option: --outDir <outputdir>
Optional: Yes
Description: Creates an output directory and saves the .whitelist file to the directory. If --outDir is not specified, the .whitelist files and .airwhitelist files are created in the directory the tool is being run from. If --outDir is a relative path, it is relative to the directory the tool is being run from.

Option: --version
Optional: Yes
Description: Prints the SWF verification version number in the .whitelist file.

The following table lists examples of running the whitelist tool:

Example: whitelist --in foo.swf --in bar.swf
Result: Creates a foo.swf.whitelist and a bar.swf.whitelist in the current directory.

Example: whitelist --in signature.xml --in bar.swf
Result: Creates signature.xml.airwhitelist and bar.swf.whitelist in the current directory.

Example: whitelist --in foo.swf --in mydir
Result: In this example, mydir is a directory containing bar.swf. Creates a foo.swf.whitelist and a bar.swf.whitelist in the current directory.

Example: whitelist --in signature.xml --in mydir
Result: In this example, mydir is a directory containing bar.swf. Creates a signature.xml.airwhitelist and a bar.swf.whitelist in the current directory.

Example: whitelist --in foo.swf --in bar.swf --outDir outputdir
Result: Creates an outputdir/foo.swf.whitelist file and an outputdir/bar.swf.whitelist file.

Example: whitelist --in signature.xml --in bar.swf --outDir outputdir
Result: Creates an outputdir/signature.xml.airwhitelist file and an outputdir/bar.swf.whitelist file.

Example: whitelist --in foo.swf --in mydir --out outputfile
Result: In this example, mydir is a directory containing bar.swf. Creates an outputfile.whitelist file in the current directory containing hashes for foo.swf and mydir/bar.swf.

Example: whitelist --in signature.xml --in mydir --out outputfile
Result: In this example, mydir is a directory containing bar.swf. Creates an outputfile.airwhitelist file containing hashes for signature.xml. Creates an outputfile.whitelist file containing hashes for bar.swf. Both files are created in the current directory.

Example: whitelist --in foo.swf --in mydir --out outputfile --outDir outputdir
Result: In this example, mydir is a directory containing bar.swf. Creates an outputfile.whitelist in the current directory containing hashes for foo.swf and mydir/bar.swf.
Warning: When the --out option is specified, the tool ignores the --outDir option.

Result (example command not shown): Creates an outputfile.airwhitelist file that contains the hashes for signature.xml. Creates an outputfile.whitelist file that contains hashes for mydir/bar.swf. Both files are created in the current directory.
Warning: When the --out option is specified, the tool ignores the --outDir option.

Example: whitelist --version
Result: Displays "version 1.0".

If an input file has the same name as a previously input file, both files are added to the whitelist.
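The tool description and the examples above together specify a small, checkable behaviour: SHA-256 each input, store the digest as Base64 text, name the output after the input (or after --out), send it to --outDir unless --out is present, and keep both entries when two inputs share a name. The Python below is an added example that models those documented rules and adds the matching client-side check (is this SWF's hash in the list?); it is not Adobe's Whitelist tool. Two things are assumptions rather than documented: inputs are classified as SWF by the .swf extension and everything else is treated as an AIR signature or certificate file, and the output layout is one Base64 hash per line. The sample SWF and XML contents are constructed bytes, not real files.

```python
import base64
import hashlib
import os
import shutil
import tempfile
from typing import Dict, Iterable, List, Optional, Tuple

SWF_EXT = ".swf"


def sha256_b64(data: bytes) -> str:
    """Base64 text of the SHA-256 digest: the form the documentation says the whitelist stores."""
    return base64.b64encode(hashlib.sha256(data).digest()).decode("ascii")


def collect_inputs(inputs: Iterable[str]) -> List[Tuple[str, str]]:
    """Expand --in arguments into (kind, path) pairs.
    A .swf file is a SWF; any other file is taken to be an AIR signature or
    certificate file (assumption). A directory contributes only the .swf files
    directly inside it, because the documented dir parameter does not support AIR files."""
    found: List[Tuple[str, str]] = []
    for p in inputs:
        if os.path.isdir(p):
            for name in sorted(os.listdir(p)):
                if name.lower().endswith(SWF_EXT):
                    found.append(("swf", os.path.join(p, name)))
        elif p.lower().endswith(SWF_EXT):
            found.append(("swf", p))
        else:
            found.append(("air", p))
    return found


def build_whitelists(inputs: Iterable[str], out: Optional[str] = None,
                     out_dir: Optional[str] = None) -> Dict[str, List[str]]:
    """Map each output file to the hashes it receives, following the documented rules."""
    if out is not None:
        out_dir = None          # documented: --out makes the tool ignore --outDir
    base_dir = out_dir or ""    # "" means the directory the tool is run from
    lists: Dict[str, List[str]] = {}
    for kind, path in collect_inputs(inputs):
        ext = ".whitelist" if kind == "swf" else ".airwhitelist"
        stem = out if out is not None else os.path.basename(path)
        target = os.path.join(base_dir, stem + ext)
        with open(path, "rb") as fh:
            # Same-named inputs land in the same target and are both kept.
            lists.setdefault(target, []).append(sha256_b64(fh.read()))
    return lists


def write_whitelists(lists: Dict[str, List[str]]) -> None:
    """One Base64 hash per line (assumed layout); --outDir is created if needed."""
    for target, hashes in lists.items():
        os.makedirs(os.path.dirname(target) or ".", exist_ok=True)
        with open(target, "w", encoding="ascii") as fh:
            fh.write("\n".join(hashes) + "\n")


def swf_is_authorized(swf_bytes: bytes, whitelist_text: str) -> bool:
    """The check the client performs, modelled: the SWF's hash must appear in the list."""
    allowed = {line.strip() for line in whitelist_text.splitlines() if line.strip()}
    return sha256_b64(swf_bytes) in allowed


def demo() -> Dict[str, object]:
    """Run the documented --outDir and --out examples on constructed inputs."""
    root = tempfile.mkdtemp()
    cwd = os.getcwd()
    os.chdir(root)
    try:
        os.mkdir("mydir")
        for name, body in (("foo.swf", b"FWS-constructed-foo"),
                           (os.path.join("mydir", "bar.swf"), b"FWS-constructed-bar"),
                           ("signature.xml", b"<signature>constructed</signature>")):
            with open(name, "wb") as fh:
                fh.write(body)
        per_file = build_whitelists(["foo.swf", "mydir"], out_dir="outputdir")
        merged = build_whitelists(["signature.xml", "mydir"], out="outputfile", out_dir="ignored")
        write_whitelists(merged)
        with open("outputfile.whitelist", encoding="ascii") as fh:
            text = fh.read()
        return {
            "per_file": sorted(p.replace(os.sep, "/") for p in per_file),
            "merged": sorted(p.replace(os.sep, "/") for p in merged),
            "bar_ok": swf_is_authorized(b"FWS-constructed-bar", text),
            "foo_ok": swf_is_authorized(b"FWS-constructed-foo", text),
        }
    finally:
        os.chdir(cwd)
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

The point to take from the model is that the list is a set of content hashes, not file names: a SWF that has been modified in any way, even by one byte, produces a different digest and fails the check, which is what lets the server's embedded hashes bind playback to the exact player builds the operator approved.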